[c-nsp] SPAN - 6509 Switch

Tim Stevenson tstevens at cisco.com
Thu Mar 17 16:18:54 EST 2005 

You may want to remove the monitor session & do a "default interface 
gig6/47" then reapply the span. Was there ever a trunking configuration on 
this span dest port?

Tim


At 12:14 PM 3/17/2005, Paul Stewart declared:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Thanks for the response Tim...
>
>I've tried it with the physical interfaces instead of VLAN's and am only
>getting Vlan1 based traffic....
>
>Here's output:
>
>gw-6509-1#sh monitor session 1
>Session 1
>- ---------
>Type                   : Local Session
>Source Ports           :
>~    Both               : Gi1/2
>Destination Ports      : Gi6/47
>
>gw-6509-1#sh interfaces GigabitEthernet 6/47
>GigabitEthernet6/47 is up, line protocol is down (monitoring)
>~  Hardware is C6k 1000Mb 802.3, address is 0004.defd.f40a (bia
>0004.defd.f40a)
>~  Description: Capture Port - Paul
>~  MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
>~     reliability 255/255, txload 219/255, rxload 1/255
>~  Encapsulation ARPA, loopback not set
>~  Keepalive set (10 sec)
>~  Full-duplex, 100Mb/s
>~  input flow-control is off, output flow-control is off
>~  Clock mode is auto
>~  ARP type: ARPA, ARP Timeout 04:00:00
>~  Last input never, output never, output hang never
>~  Last clearing of "show interface" counters 3w3d
>~  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>~  Queueing strategy: fifo
>~  Output queue: 0/40 (size/max)
>~  5 minute input rate 0 bits/sec, 0 packets/sec
>~  5 minute output rate 115929000 bits/sec, 35658 packets/sec
>~  L2 Switched: ucast: 2 pkt, 128 bytes - mcast: 0 pkt, 0 bytes
>~  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
>~  L3 out Switched: ucast: 0 pkt, 0 bytes
>~     1594 packets input, 192040 bytes, 0 no buffer
>~     Received 415 broadcasts (0 IP multicast)
>~     0 runts, 0 giants, 0 throttles
>~     2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>~     0 watchdog, 0 multicast, 0 pause input
>~     0 input packets with dribble condition detected
>~     83970921 packets output, 35914120731 bytes, 0 underruns
>~     0 output errors, 0 collisions, 4 interface resets
>~     0 babbles, 0 late collision, 0 deferred
>~     0 lost carrier, 0 no carrier, 0 PAUSE output
>~     0 output buffer failures, 0 output buffers swapped out
>
>
>Now, I"m actually trying to monitor something a little smaller but was
>experimenting.. it looks like the session is working.... must be an
>ethereal issue.... would that sound right?
>
>I"m just using my notebook computer with XP and Ethereal loaded to try
>and find what kind of traffic we are passing right now... we're having
>some weird issues on our system....
>
>On Ethereal, I'm only processing about 5 packets a second... I can
>understand that I'm not going to process thousands a second on an XP
>notebook but just looking for a feel...
>
>Any input would be appreciated..
>Paul
>
>
>Tim Stevenson wrote:
>| Both is the default, if you don't specify, you get both tx & rx.
>|
>| Was the config you posted from the switch or hand-typed? eg, could the
>| source & dest monitor session #s be mismatched/incorrect? Perhaps post a
>| show monitor.
>|
>| Tim
>|
>| At 10:53 AM 3/17/2005, Paul Stewart declared:
>|
>| oops... :)  going to try "both" and go from there...
>|
>| thanks for the feedback...
>|
>| Paul
>|
>|
>| Voll, Scott wrote:
>| | Did you use monitor session 1 source vlan 50 both?  What Sup are you
>| | using?
>| |
>| | -----Original Message-----
>| | From: Paul Stewart [mailto:pauls at nexicom.net]
>| | Sent: Thursday, March 17, 2005 10:34 AM
>| | To: Voll, Scott
>| | Cc: cisco-nsp at puck.nether.net
>| | Subject: Re: [c-nsp] SPAN - 6509 Switch
>| |
>| | Basically I want to sniff all the traffic going through that VLAN
>| | inbound/outbound.  When I do sniff I only seem to stp and vtp traffic..
>| | a little arp but that's it..
>| |
>| | Vlan50 has over 50 Mb/s of data on it
>| |
>| | Does that answer your question? :)
>| |
>| | Paul
>| |
>| |
>| | Voll, Scott wrote:
>| | | What do you mean by not getting a Mirror? Are you not receiving TX or
>| | RX
>| | | or Both?  Or are you looking for inter Vlan traffic?
>| | |
>| | |
>| | |
>| | | -----Original Message-----
>| | | From: cisco-nsp-bounces at puck.nether.net
>| | | [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
>| | | Sent: Thursday, March 17, 2005 10:26 AM
>| | | To: cisco-nsp at puck.nether.net
>| | | Subject: [c-nsp] SPAN - 6509 Switch
>| | |
>| | | Hi there...
>| | |
>| | | I'm trying to capture all traffic in particular VLAN's and mirror
>| them
>| | | to a port on our 6509.  Then use Ethereal to see what's going on
>| | inside
>| | | of these VLAN's .... we're seeing a TONNE of ARP and ICMP traffic
>| | | throughout our system and I need to figure out why...
>| | |
>| | | Here's what I've got:
>| | |
>| | | interface GigabitEthernet6/47
>| | | ~ description Capture Port - Paul
>| | | ~ no ip address
>| | | ~ switchport
>| | | ~ no cdp enable
>| | |
>| | | interface Vlan50
>| | | ~ description RAS Gear/Routers
>| | | ~ ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>| | | ~ ip access-group 100 out
>| | | ~ no ip redirects
>| | |
>| | |
>| | | monitor session 1 source vlan 50
>| | | monitor session 1 destination interface Gi6/47
>| | |
>| | |
>| | | When I plug into Gig 6/47 I don't get a "mirror" of everything on
>| | | Vlan50... why not? :)  I need to sniff inside of VLAN's on a 6509 so
>| | any
>| | | input is much appreciated...
>| | |
>| | | Thanks,
>| | |
>| | | Paul
>| | |
>|>
>|>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>| Tim Stevenson, tstevens at cisco.com
>| Routing & Switching CCIE #5561
>| Technical Marketing Engineer, Catalyst 6500
>| Cisco Systems, http://www.cisco.com
>| IP Phone: 408-526-6759
>| ********************************************************
>| The contents of this message may be *Cisco Confidential*
>| and are intended for the specified recipients only.
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.0 (MingW32)
>
>iD8DBQFCOeUYqMetgU57IuQRAszAAJwOMqIEnzUDU9IZ98+Ru3xbEvbE2ACfZTuq
>ErkffORl/sPMU+2DGv/Q8CM=
>=LZ6q
>-----END PGP SIGNATURE-----
>
>



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

More information about the cisco-nsp mailing list